Enhancing an SELinux policy with file transitions_SELinux Cookbook-QQ阅读男生轻小说网

书名：SELinux Cookbook
作者名：Sven Vermeulen
本章字数：1512字
更新时间：2021-08-05 18:02:19

Enhancing an SELinux policy with file transitions

Up until now, we've only handled the configuration part on file contexts: if we would ask SELinux utilities to relabel files, then the changes we made would come into effect. However, unless you run with the restorecond daemon checking out all possible file modifications (which would really be a resource hog) or run restorecon manually against all files regularly, the newly defined contexts will not be applied to the files.

What we need to do is modify the local SELinux policy so that, upon creation of these files, the Linux kernel automatically assigns the right label to those files. This is handled through file transitions, which is a specific case of a type transition.

In a type transition, we configure a policy so that if a given domain creates a file (or other resource class) inside a directory with a specified label, then the created object should automatically get a specific label. Policy-wise, this is written as follows:

type_transition <domain> <directory_label>:<resource_class> <specific_label>

SELinux has also added in support for named file transitions (from Linux 2.6.39 onwards, and available in Gentoo, Fedora 16+, and Red Hat Enterprise Linux 7+). In that case, such a transition only occurs if the created resource matches a particular filename exactly (so no regular expressions):

type_transition <domain> <directory_label>:<resource_class> <specific_label> <filename>

Through the reference policy macro's, this is supported with the filetrans_pattern definition.

Getting ready

In order to properly define file transitions, we need to know what the source domain is that is responsible for creating the resource. For instance, a /var/run/snort/ directory might be created by an init script, but if there is no file transition, then this directory will be created with the type of the parent directory (which is var_run_t) instead of the proper type (snort_var_run_t).

So make sure to write down all the involved labels (as an example, we will use initrc_t for an init script, var_run_t for the parent directory, and snort_var_run_t for the target directory) before embarking on this recipe.

How to do it…

Defining a file transition can be done as follows:

Search through the SELinux policies to see if there is an interface that will provide a file transition from a given domain to snort_run_t:
```
~$ sefindif filetrans.*snort_var_run_t
```

Assuming that none have been found, search for interfaces that allow initrc_t created resources to transition to a given type:

~$ sefindif filetrans.*initrc_t
system/init.if: interface(`init_daemon_pid_file',`
system/init.if: files_pid_filetrans(initrc_t, $1, $2, $3)

Bingo! Now, let's create an enhancement for the snort SELinux module (through a mysnort policy file) with the following declaration in it:

policy_module(mysnort, 0.1)
gen_require(`
  type snort_t;
  type snort_var_run_t;
')
# If initrc_t creates a directory called "snort" in a var_run_t dir,
# make sure this one is immediately labeled as snort_var_run_t.
init_daemon_pid_file(snort_var_run_t, dir, "snort")

Build the new policy and load it. Then check with sesearch if a type transition is indeed declared:

~$ sesearch –s initrc_t –t var_run_t –T | grep "snort"
type_transition initrc_t var_run_t : dir snort_var_run_t "snort"

How it works…

Linux distributions that support SELinux already provide an SELinux policy that works in a majority of deployments. The default policy is extensive and works mostly out of the box. If specific changes are needed, chances are that these particular SELinux rules are already defined (as part of policy interfaces) and only need to be instantiated and loaded.

Policy interfaces usually exist in the following two types:

Interfaces whose subject is delivered through an argument, and where the object (against which operations are performed) and perhaps target (in our case, to which a transition should occur) are hardcoded
Interfaces whose subject is hardcoded and where the object, target, or both are arguments to the interface

An example of the first interface type that can be used in our example would look like the following code:

interface(`snort_generic_pid_filetrans_pid',`
  gen_require(`
    type snort_var_run_t;
  ')
  files_pid_filetrans($1, snort_var_run_t, dir, $2)
')

We could then call this interface like this:

snort_generic_pid_filetrans_pid(initrc_t, "snort")

However, such interfaces would be a burden to maintain. For every daemon support added to the system, the init policy would need to be changed with a named file transition together with the newly added policy rules for the daemon. Considering the amount of daemons that can run on a system, the init policy would literally be filled with a massive amount of named file transitions—at least one for every daemon.

The interface declaration that we encountered in the example is much more manageable. The interface is meant to be called by the daemon policy itself and immediately ensures that the initrc_t type can create directories of the given type (snort_var_run_t) inside the generic run directory (var_run_t). New additions to the policy leave the init policy at rest, making maintenance of the policies easier.

Finding the right search pattern

To find the right pattern, we use the sefindif interface to search through the available interfaces. Finding the right expression is a matter of experience.

As we know, we want to search for file transitions, the line we are looking for will contain filetrans_pattern. Then, one of the arguments involved is the type we are going to transition to (snort_var_run_t). So the expression we used in the example was changed to filetrans.*snort_var_run_t. As that didn't result in anything, the next search involved the domain from which a transition has to be made (initrc_t) so that the expression was changed to filetrans.*initrc_t.

However, let's assume we don't know that filetrans_pattern needs to be searched for. The type itself (snort_var_run_t) or domain (initrc_t) might be sufficient to search through, like in the following searches:

~$ sefindif snort_var_run_t
~$ sefindif initrc_t

From the resulting list of interfaces, we can then see if an interface is available that suits our needs.

Patterns

Patterns such as filetrans_pattern are important supporting definitions inside the reference policy. They bundle a set of permissions related to a functional approach (such as read files, which are handled through a read_files_pattern) and are not tied to a particular type (unlike interfaces).

The need for patterns comes from the very fine-grained access controls that SELinux has on Linux activities. Reading a file is a nice example: it is not sufficient to just allow a type to perform the read action:

allow initrc_t snort_var_run_t:file read;

Most applications first check the attributes of the file (getattr) and open the file before they can read the file. Depending on the purpose, they might also want to lock the file or perform I/O operations on it through ioctl. So instead of just the preceding access vector, the rule was changed to:

allow initrc_t snort_var_run_t:file { getattr lock open read ioctl }

The reference policy provides a single permission set for this called read_file_perms, which turns the access vector into the following:

allow initrc_t snort_var_run_t:file read_file_perms;

Second, the policy developers often want to allow a domain to read a file inside a directory that is labeled similarly. For instance, a snort_var_run_t file can be at /var/run/snort/snort.pid with the /var/run/snort/ directory also being labeled as snort_var_run_t. So we would also need to grant the initrc_t type search rights inside the directory—which again is a set of permissions as can be seen from the search_dir_perms definition:

~$ seshowdef search_dir_perms
define(`search_dir_perms',`{ getattr search open }')

Instead of creating multiple rules for this, a pattern is created, called read_files_pattern, which looks like the following:

~$ seshowdef read_files_pattern
define(`read_files_pattern',`
 allow $1 $2:dir search_dir_perms;
 allow $1 $3:file read_file_perms;
')

This allows policy developers to use a single call:

read_files_pattern(initrc_t, snort_var_run_t, snort_var_run_t)

To see the various patterns supported for policy development, use sefinddef with the 'define.*_pattern' expression:

~$ sefinddef define.*_pattern

Using patterns allows developers to create readable policy rules using a functional approach rather than a full sum-up of each individual access vector.

There's more...

In the snort_generic_pid_filetrans_pid interface presented earlier, we used a named file transition: the transition occurs only if the filename passed on as the last argument matches the filename of the file created.

Named file transitions take precedence over normal file transitions. A good example for this are the file transitions supported for the initrc_t domain:

~# semanage –s initrc_t –t var_run_t –T
Found 2 semantic te rules:
 type_transition initrc_t var_run_t : file initrc_var_run_t;
 type_transition initrc_t var_run_t : dir initrc_var_run_t;
Found 16 named file transition rules:
type_transition initrc_t var_run_t : dir udev_var_run_t "udev";
type_transition initrc_t var_run_t : dir tor_var_run_t "tor";
…

In this case, if an init script creates a directory called udev or tor (or any of the other transition rules that are not shown in the example), then a proper file transition occurs. If the filename doesn't match, then a transition occurs to the initrc_var_run_t type.

File transitions on regular files and directories are the most common, but transitions can also occur on various other classes, such as sockets, FIFO files, symbolic links, and more.